From: Kelven Yang
To: cloudstack-dev@incubator.apache.org
Date: Fri, 21 Sep 2012 10:26:30 -0700
Subject: realhostip certificate role in Cloudstack
Periodically we get questions asking what the realhostip DNS name is actually doing in CloudStack.

The realhostip.com domain exists to make HTTPS work across all CloudStack installations at different customer sites, without administrators having to worry about how to load an SSL certificate whenever the deployment environment changes. SSL certificates are used in CloudStack system VMs to host HTTPS connections; for example, the console proxy VM and the secondary storage VM both use one in their HTTP servers. The realhostip.com SSL certificate is signed for a wildcard name, so all DNS names under *.realhostip.com are qualified to use the certificate.

Because every CloudStack customer has its own environment, each one has its own set of system VMs in its installation, and each system VM instance has its own set of IP addresses. To use ONE certificate for all these instances across different customers, we came up with a solution: a dynamic DNS service hosted by CloudStack. The DDNS service basically translates DNS names of the following form to IP addresses:

xxx-xxx-xxx-xxx.realhostip.com -> IP address xxx.xxx.xxx.xxx

CloudStack has control of the IP addresses in each installation, so whenever we need an SSL certificate, no matter which customer is running the installation, as long as the DDNS service is available we can always assign a suffix under the realhostip.com domain on top of the ever-changing IP addresses. This is the trick we play to make ONE SSL certificate applicable universally among all CloudStack installations.
In most of these cases the ugly-looking DNS name is not visible to end users, since its main purpose is to help establish a secure communication channel (not truly to certify a site). However, there are cases where a customer may care, so the console proxy VM does provide a customizable way for users to use their own SSL certificates.

Kelven
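The mapping described in the message, as an added worked example that is not code from the mailing-list post or from CloudStack itself: it encodes a system VM's IPv4 address into the dashed realhostip-style label, decodes such a label back to an address the way the DDNS service is said to, and checks the resulting name against the *.realhostip.com wildcard using the one-label rule that TLS clients apply. The function names, the strictness of the label check, and the sample addresses are this example's own assumptions, not taken from the CloudStack code base.

```python
import ipaddress
import re
from typing import Optional

# Suffix and wildcard name that the message says the certificate is issued for.
REALHOSTIP_SUFFIX = "realhostip.com"
WILDCARD_NAME = "*." + REALHOSTIP_SUFFIX

# Label form the DDNS service translates: four decimal octets joined by dashes.
_DASHED_IPV4 = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def ddns_resolve(hostname: str) -> Optional[str]:
    """Translate a-b-c-d.realhostip.com into the dotted IPv4 address a.b.c.d.

    Returns None for any name that is not a well-formed dashed IPv4 address
    directly under the realhostip.com suffix (assumed strictness: octets must
    be 0..255 and carry no leading zeros, so each name decodes to one address).
    """
    host = hostname.rstrip(".").lower()
    suffix = "." + REALHOSTIP_SUFFIX
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    match = _DASHED_IPV4.match(label)
    if not match:
        return None
    octets = match.groups()
    for octet in octets:
        if octet != str(int(octet)) or int(octet) > 255:
            return None
    return ".".join(octets)


def ddns_name_for(ip: str) -> str:
    """Inverse mapping: the realhostip name a system VM at `ip` would be given."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return str(addr).replace(".", "-") + "." + REALHOSTIP_SUFFIX


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate name check as TLS clients apply it (RFC 6125 style):
    a leading '*' covers exactly one DNS label, never zero and never several."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] != "*":
        return p_labels == h_labels
    return p_labels[1:] == h_labels[1:]


def certificate_covers_vm(ip: str) -> bool:
    """Full round trip for one system VM address: build its realhostip name,
    confirm the wildcard certificate is valid for that name, and confirm the
    DDNS translation resolves the name back to the same address."""
    name = ddns_name_for(ip)
    return wildcard_matches(WILDCARD_NAME, name) and ddns_resolve(name) == ip


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real installation.
    for sample_ip in ("10.1.2.3", "192.168.0.10"):
        print(sample_ip, "->", ddns_name_for(sample_ip),
              "covered:", certificate_covers_vm(sample_ip))
    # A name nested one level deeper is NOT covered by a single-label wildcard.
    print(wildcard_matches(WILDCARD_NAME, "a.10-1-2-3.realhostip.com"))
```

The last check is the caveat worth remembering when reasoning about this scheme: the wildcard covers the dashed label and nothing below it, so any scheme that nests further labels under realhostip.com would fall outside the certificate, and the DDNS side should refuse labels that do not decode to a single valid IPv4 address rather than guess.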